Professional Documents
Culture Documents
Data Analysis
Technologies
Global Technology Audit Guide (GTAG®) 16
Data Analysis Technologies
Authors:
Altus J. Lambrechts, CISA, CRISC
Jacques E. Lourens, CIA, CISA, CGEIT, CRISC
Peter B. Millar
Donald E. Sparks, CIA, CISA
Reviewers:
The IIA–South Africa
Chartered Institute of Internal Auditors (U.K.)
August 2011
Copyright © 2011 by The Institute of Internal Auditors located at 247 Maitland Avenue, Altamonte Springs, FL 32701, USA.
All rights reserved. Published in the United States of America.
Except for the purposes intended by this publication, readers of this document may not reproduce, store in a retrieval system,
redistribute, transmit in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — display, rent,
lend, resell, commercially exploit, or adapt the statistical and other data contained herein without the permission of The IIA.
The information included in this document is general in nature and is not intended to address any particular individual, internal
audit activity, or organization. The objective of this document is to share tools, resources, information, and/or other knowledge that is
accurate, unbiased, and timely. However, based on the date of issuance and changing environments, no individual, internal audit
activity, or organization should act on the information provided in this document without appropriate consultation or examination.
GTAG — Table of Contents
Executive Summary..........................................................................................................................................2
Introduction.....................................................................................................................................................3
Conclusion........................................................................................................................................................16
1
GTAG — Executive Summary
1. Executive Summary This guide aims to help CAEs understand how to move
beyond the tried and true methods of manual auditing toward
Change can be difficult for anyone. Inventor Charles improved data analysis using technology. After reading this
Kettering once said, “The world hates change, yet it is the guide you will:
only thing that has brought progress.” This adage is particu- • Understand why data analysis is significant to your
larly true when it comes to moving beyond the tried and true organization.
methods of manual auditing towards computer assisted audit
techniques (CAATs) and the use of data analysis. • Know how to provide assurance more efficiently
Although internal auditors have been doing data analysis with the use of data analysis technology.
for more than 25 years, it has only recently started to become • Be familiar with the challenges and risks that you
standard practice. By our nature, most accountants and audi- will face when implementing data analysis tech-
tors are inclined to stick with what has worked in the past, nology within your department.
rather than reach outside our comfort zones for an alterna-
tive that could help us accomplish more. What we should be • Know how to incorporate data analysis at your orga-
asking ourselves is, “Could we do something electronically nization through adequate planning and appropriate
in 20 minutes that would normally take us 20 hours, and resource structures.
possibly improve the quality of our work as a result?” • Recognize opportunities, trends, and advantages of
Because all organizations are impacted by IT in various making use of data analysis technology.
forms, it is nearly impossible to conduct an effective audit
without using technology. Current audit standards already
require consideration of the use of data analysis for good To further assist CAEs and other individuals who use this
reason. The use of data analysis allows auditors to view high- guide, we also have included a detailed example of the appli-
level organizational operations and drill down into the data. cation of data analytics to procurement control activities in
It can be used throughout all phases of an audit. It also can Appendix A. Consistent with where most data analysis starts,
be used to identify errors, which may lead to the discovery these examples are largely focused on simple data matching
of fraudulent activity. While technology may be used to and reperformance of automated system functionality used in
improve the audit and reduce the time necessary to complete providing assurance.
the engagement, some auditors may still be reluctant to make
the switch.
While data analysis could theoretically be performed
manually, it is most effective when implemented using data
analysis technology. It is important for chief audit execu-
tives (CAEs) and their staff to realize that the use of data
analysis technology is not limited to the scope and activities
associated with IT audit alone. The use of technology-based
audit techniques in general and data analysis technology
in particular is far more widespread. The IIA defines tech-
nology-based audit techniques as, “Any automated audit
tool, such as generalized audit software, test data generators,
computerized audit programs, specialized audit utilities, and
CAATs.”1 Owing to the broad scope of this definition, the
focus of this GTAG is on data analysis technologies. The use
of data analysis technology is part of the bigger technology
armor that assists auditors in increasing audit coverage,
performing more thorough and consistent audits, and ulti-
mately increasing the levels of assurance that they provide
their organizations.
www.theiia.org/guidance/standards-and-guidance/ippf/standards/
1
glossary
2
GTAG — Introduction
3
GTAG — I ntroduction
Trends
There is increasing pressure on audit departments to do
more with less. Internal audit’s role is at the forefront as the
profession looks to provide more assurance and transpar-
ency to the audit committee and senior management around
everyday organizational activities. To accomplish this, the
current focus of many audit teams is to enhance the quality
of their work and effectiveness of the department using tech-
nology. They need to be more productive and better focused
on emerging risks. Audit teams also are seeking to deliver
timely value to the enterprise by distributing, tracking, and
escalating potential issues for better organizational insight
and control.2
Benchmarking Survey.
4
GTAG — How Can Data Analysis Help Internal Auditors?
5
GTAG — How Can Data Analysis Help Internal Auditors?
This can help internal audit define and create an audit plan data populations. Once initial analysis is done, efforts can
that focuses on the areas of highest concern. The internal be focused on areas where exceptions were found, making
audit activity should consider prioritizing the use of data more efficient use of audit resources. The ability to automate
analysis for risk assessment during the audit planning stage, repetitive tests by using analytic scripts increases overall
where the data is available, and where this approach is departmental efficiency and allows for greater insight into
applicable. high risk areas. Results and scripts should be stored in a
Data analysis technology can be effectively employed to centralized repository allowing audit team members to review
identify indicators of risk in a variety of processes. Consider findings and access and re-use analytic procedures.
the following examples:
Preparation
Data access and preparation can be a challenging step within
the audit process. Requests to IT departments can take weeks
and the resulting data can often be incomplete or incorrect,
making for an inefficient process. By using data analysis tech-
nology during the audit preparation phase, many of these
delays can be avoided. Auditors skilled in the use of data
analysis can source the data required for the audit engage-
ment, do data integrity and validity checks, and prepare test
routines for staff auditors to use once the audit commences.
This will provide audit teams with streamlined access to
reliable data sets or even automated access to multiple data
sources to allow for quick and efficient analysis of data. Data
should be housed in a centralized repository allowing the
audit team to analyze data sets according to their authoriza-
tion and need for access.
Testing
A great deal of audit testing uses organizational data to some
extent — often to a significant extent. Due to ever increasing
amounts of data, some auditors have relied on techniques
such as sampling or spot checks. These techniques may
be ineffective at uncovering anomalies and indicators of
failed or inefficient internal controls. To improve effective-
ness in the search for errors and unusual transactions, audit
teams can use data analysis technology to analyze entire
6
GTAG — Using Data Analysis Technology
4. Using Data Analysis unknown issues. And just as important, internal audit leaders
know and are confident the audit tests being conducted are
Technology done in a manner consistent with their directions. And while
they may not roll out the software to 100 percent of the staff
initially, in a few short months many staff would be able to
4.1 Data Analysis Software Tools perform data analysis.
As with the adoption of any software tool or technology,
Leading internal audit activities have a lot in common when
initial product acquisition cost should be considered, in
looking for data analysis tools. They look for data analysis
addition to ongoing maintenance and support costs for the
tools (i.e., software) that are easy to learn and can realisti-
technology(s) selected. A needs assessment should be carried
cally be used by the entire audit staff, not just a select few.
out to ensure that the technology(s) selected are appropriate
The software must measurably improve audit techniques
for the intended usage — ranging from ad hoc, mobile use to
and shorten audit cycles right out of the box. Investments
centralized processing of large volumes of data. This should
in time and skills to develop analysis routines created during
take into consideration not only the immediate needs being
one audit can be used again on the same or similar audits
addressed, but also what capability levels are envisioned for
leading the function forward into continuous audit/moni-
the future. This needs assessment may result in hardware
toring processes.
acquisition costs for laptop computers, centralized server
Purpose-built data analytic technologies for audit
hardware, or additional data storage capacity.
have been around for over 20 years. Yet according to the
The use of data analysis technologies also requires the
PricewaterhouseCoopers 2010 State of the Internal Audit
support and commitment of an organization’s IT department.
Profession Study, auditors for the most part are not taking
The CAE should engage in planning with IT resources up
advantage of them effectively. The following chart illustrates
front to highlight the overall data analysis strategy, sought
the areas in which data analysis technologies are being used
after benefits, and data access requirements of the audit
most frequently.3
department. Data access protocols should be established up
When the right software is implemented, the results can
front, and any risks identified relating to the access, sharing,
be significant. Successful internal audit functions have
and storage of sensitive data should be addressed. This may
stakeholders that recognize the efficiencies in audit processes
entail the implementation of centralized data analysis capa-
and appreciate audit results that regularly disclose previously
bilities, where client/server architecture is implemented, or
the need for data encryption
and protection software to safe-
guard the organization from
Use of Data Analytic Technologies data loss.
30%
4.2 Auditor Skill Sets
n Purpose-built
Data Analysis In deciding to implement
20% Technologies data analysis within an audit
department, the CAE needs to
10% n Other consider the skill sets that exist
within their department. For
0% some, the concepts involved
Control Data Substantive Continuous Continuous
in accessing and working with
Analysis Analysis Testing Controls Auditing
Monitoring data are beyond their experi-
ence or comfort level. The
Adapted from: A future rich in opportunity: Internal audit must seize opportunities to enhance its relevancy PricewaterhouseCoopers
3
2010 State of the Internal Audit Profession Study, March 2010, p.22.
7
GTAG — Using Data Analysis Technology
n Provides the ability to automate audit tasks to • Manually maintained data. Using data that
increase audit efficiency, repeatability, and support has been maintained manually can pose problems
for continuous auditing. pertaining to data integrity as change controls
might be lacking or ineffective. Whenever possible,
internal auditors should use automated data as the
CAE needs to determine if an investment in training of basis for the analysis and verify it against existing
existing personnel is needed, or if hiring of new staff with manually maintained data.
data analysis expertise is more appropriate. In either case,
some degree of training and professional development will The benefits of using data analysis are many, however,
most likely be required. This should be budgeted for in terms the items above should be considered by the CAE in imple-
of both time and money as an ongoing cost to ensure the menting and executing an effective data analysis strategy.
long-term success of their data analysis implementation. Many of these challenges and risks can be addressed through
professional development of audit staff, modification of audit
4.3 Potential Barriers procedures, and the technology selected for audit’s use. For
further guidance on how to provide assurance around the use
While the benefits of using data analysis technology are
of data analysis technologies and other user-developed appli-
generally well known, adoption rates show that there are a
cations, please refer to GTAG 14: Auditing User-developed
number of barriers to overcome before more widespread use
Applications.
of data analysis can occur. The CAE should be cognizant
of these barriers and address them to realize the gains data
analysis technology enables. The barriers include:
8
GTAG — Elaboration on Key Technology Concepts
9
GTAG — Elaboration on Key Technology Concepts
or deficiencies. When using data analysis, auditors should the auditor needs to have a data analysis tool that allows
always check the data for validity errors. Getting the correct them to visually present these data files in relationship to
and complete data is a prerequisite of effective data analysis. one another.
For instance, do the numeric fields in the source data contain When using data analysis, auditors need to compare and
valid numbers — or are characters present in this field or contrast diverse sources of information, validate data integ-
are there blank entries? Do key fields, such as social security rity and accuracy, and look for patterns and anomalies
or social insurance numbers, contain valid entries? Does the in data. The audit process may need to support assertions
data contain records within the expected date range or is it inherent in published financial statements such as complete-
under- or overrepresented in the data set? When source data ness, accuracy, occurrence, valuation, and presentation. Data
errors are identified, data extracts should be repeated to get analysis software may have algorithms designed to perform
the expected data range, data cleansing activities should be these tests without having to program custom queries or
conducted to correct faulty data fields, or “bad data” should macros to reduce the audit risk in user developed applica-
be isolated from the main analysis and subsequently investi- tions (UDAs). For additional guidance related to UDAs, see
gated to see if it substantially impacts the overall assessment GTAG 14: Auditing User-developed Applications.
of the audit. Purpose-built data analysis software will have commands
and functions that look for duplicates; detect gaps in numeric
5.1.2 Audit-specific Capabilities sequences; and group transactions by type, numeric range,
and age. The ability to filter vast amounts of data quickly
Data analysis technology for internal audit’s use needs to
and efficiently also is a key requirement. Advanced pattern
have the features and functionality that auditors require
detection techniques, such as digital analysis, are extremely
to do their job effectively. Not only should it deal with the
helpful when seeking anomalies in data.
data access challenges, but it also needs to support the way
When comparative analysis is required, the technology
in which auditors work and the types of analytics that are
needs the ability to merge data files (often from different
appropriate to the audit task.
sources and in different formats) and look for matched or
Some aspects of data analysis involve assessing the integ-
unmatched records. For tasks requiring the comparison of
rity of organizational processes and practices, evaluating the
data from numerous sources, the ability to relate diverse data
efficacy of controls, conducting risk assessments, and, in
sets together also may be necessary. Because the audit process
some cases, fraud detection. Invariably this means that data
often involves retrospective analysis of vast amounts of data,
must be analyzed from a diversity of sources to seek patterns
an effective data analysis technology needs highly efficient
and relationships. Auditors need to organize their view of the
read algorithms to process millions of records rapidly. These
company data in a way that suits the audit objectives.
algorithms must be powerful and reliable to perform tasks
This view gives users the ability to set an appropriate
either quickly in interactive data analysis or for sustained
context from which to compare and contrast data from
periods of time in lengthy and complex automated analysis.
diverse sources. For example, if part of an audit process is
Depending on the nature of the audit work being done, this
fraud detection, data analysis may be used to great effec-
interactive work can be ad hoc for planning, initial scoping,
tiveness. One might compare an employee master file with
or investigative work. It also can be scripted for repetitive
an approved vendor database. If there is a match between
analysis of organizational processes from period to period,
an employee’s address and the address of a vendor, it might
such as quarterly reviews of key controls. In organizations
indicate the presence of a “phantom vendor” and that an
that want to implement a continuous auditing methodology,
employee is attempting to perpetrate fraud. In such a case,
Seeking documented conclusions Seeking to improve the efficiency, consistency, and Seeking timely notification of trends, patterns
and recommendations. quality of audits. and exceptions.
Supporting risk assessment and enabling audit
efficiency.
10
GTAG — Elaboration on Key Technology Concepts
the data analysis technology selected must be able to support audit management that opinions expressed in audit reports
the scheduling and automation of data analysis tests. are accurate and that the audit recommendations are sound.
An example of an ad hoc analysis could be ‘suspicious A final benefit of an audit trail is the ability to recall
vendor’ and ‘phantom employee’ analysis for acquisition previous results. An audit trail records not only the
due diligence. An audit team member could generate a few commands and functions used to identify exceptions and
specific queries comparing vendors to employees to see if anomalies, but also intermediary and final results. In this
there is a match. If there is, this may be an area warranting way, auditors may compare past findings with current find-
deeper analysis. Ad hoc is often explorative and investigative ings to see if the recommendations have been acted upon, or
in nature and helps target high-risk areas for more involved if there is a substantive shift in the behavior of the organiza-
analysis. tion that may be an indicator of emerging risk.
A repetitive analysis example could be a quarterly journal If meaningful results or insight are achieved through a
entry analysis. Data analysis can be used to help validate the data analysis process during an audit, they are probably
operating effectiveness of controls in this area and identify worth repeating again in the future. An effective technology
control failures — even in manual controls. For instance, enables simple and straightforward task automation. Effective
data analysis can be used to identify: technologies provide for a variety of ways to automate analyt-
ical tasks either through a “task recorder” functionality or
• Journal entries by unauthorized or restricted users. through the selection of commands recorded in the audit
• Duplicate journal entries. trail.
It is through task automation that auditors themselves
• Invalid account postings. may create batteries of tests to streamline the overall audit
• Journal entries pre- and post-period close. process and contribute to the aspects of continuous auditing
involving the recurring analysis of data to identify indicators
• Frequently reversed journal entries. of failed controls, noncompliance, and fraudulent activity.
11
GTAG — Elaboration on Key Technology Concepts
is usually ad hoc by a limited number of audit staff and may Level 4 – Automated
be unplanned.
This use of data analysis helps auditors rapidly gain insight
into risk and control issues in a given audit area. However,
there is room for improvement. The use of data analysis tech- Define the term Continuous Auditing.
nology can be better integrated into audit procedures and at Solution:
different stages in the audit cycle. This requires an invest-
ment in changing audit processes — educating audit staff in “Continuous auditing is any method used by audi-
the concepts of data analysis and the technology itself. tors to perform audit-related activities on a more
continuous or continual basis. It is the continuum of
Level 2 – Applied Analytics activities ranging from continuous controls assess-
ment to continuous risk assessment — all activities
Usage at this level builds on the basic level and is charac-
on the control-risk continuum. Technology plays a
terized by data analysis being fully integrated into targeted
key role in automating the identification of excep-
audit processes. Both audit planning and the design of an
tions and/or anomalies, analysis of patterns within
audit program take data analysis into account — effectively
digits of key numeric fields, analysis of trends,
creating a “data analysis-enabled audit program.” Within this
detailed transaction analysis against cut-offs and
more structured approach to using data analysis, compre-
thresholds, testing of controls, and the comparison
hensive suites of tests may be created, reviewed, and subject
of the process or system over time and/or other
to quality assurance procedures. Usage is often progressive,
similar entities.”
with additional tests being added over the course of time and
during each repetition of an audit process.
~GTAG 3: Continuous Auditing: Implications for
At this stage, data analysis begins to transform the audit
Assurance, Monitoring, and Risk Assessment.
process, providing substantial improvements in efficiency,
levels of assurance, and the overall value of findings. Certain
tasks can be performed in a fraction of the time it previ-
ously took, thereby enabling audit to focus on areas of new The Automated level builds on the capabilities estab-
or evolving risk. lished to support Managed Analytics. The building blocks
established at the previous levels form the basis for increased
Level 3 – Managed Analytics automation of analytic processes and, where appropriate,
The Managed level is the logical evolution from the the implementation of continuous auditing. Data access
Applied stage. This increased level of sophistication is protocols have been established for the automated running
in response to some of the challenges inherent in a more of analytic tests. Comprehensive suites of tests have been
widespread, decentralized use of data analysis. In this more developed, tested, and are available in a central, controlled
organized and controlled approach to data analysis, data, environment.
audit tests, results, audit procedures, and documentation are However, continuous auditing requires more than
housed in a centralized and structured repository. Access to addressing technology issues. It requires a significant shift
and use of this content is aligned with key audit procedures in audit processes compared to traditional auditing methods.
and is controlled and secure. This makes it more practical for Most internal audit departments commence continuous
nontechnical audit staff to access and use the results of tests. auditing in one area and then expand to additional areas over
Once data analysis is managed centrally, audit teams can time as appropriate procedures are established. The result of
benefit by increased efficiency through the sharing of data the use of automation is that it becomes possible to perform
analysis work (data, tests, and results). Data analysis use is concurrent, ongoing auditing of multiple areas.4
repeatable, sustainable, and easier to maintain the overall While effective continuous auditing provides clear benefits
quality and consistency of analytic work. It is at this level in terms of audit productivity and effectiveness, there remains
that the basic building blocks for continuous auditing are a risk that findings are not communicated to management or
in place. One of the key benefits of this level is also that are not acted on in a timely manner by management to add
of making the whole process more sustainable by reducing value to the business through improved controls and business
the risks of relying on individual specialists who may leave, performance. When implementing a continuous auditing
taking critical knowledge with them. Analytic procedures at
this level are well documented and centralized in a way that
makes review by management easier and more efficient.
4
For additional information on continuous auditing, please refer
to GTAG 3: Continuous Auditing: Implications for Assurance,
Monitoring, and Risk Assessment.
12
GTAG — Elaboration on Key Technology Concepts
5
Continuous monitoring and continuous auditing: From idea
to implementation, © 2010 Deloitte Development LLC
13
GTAG — Where Should Internal Auditors Begin?
6. Where Should Internal methodology to how they evaluate risk, validate the efficacy
of internal controls, and identify areas of noncompliance.
Auditors Begin? This also assists how they interpret the results of analysis
performed. Are the results indicative of poor internal
A reality of today’s highly automated world is that almost controls, system deficiencies, poorly trained staff, or indica-
every auditor must analyze data. What was once considered tors of fraud? By understanding data, these determinations
a special expertise, a job for IT auditors, or a task that was can be made and will assist in improving audit performance.
easily outsourced to another department or organization, Training also is necessary for the effective use of the
has become a core competency for the profession of internal technology selected. The internal audit department should
auditing. establish what their desired end-state of technology use is
Internal audit leadership can start the process by first (i.e., ad hoc use, highly automated audit routines, or imple-
assessing the strategic goals of the data analysis activities menting continuous auditing). A training regimen needs
of their function. There are many software products on the to be put in place with the outcome in mind to ensure it is
market that will catch the attention of staff. Proceeding achieved according to established project schedules.
without first establishing what the function needs to achieve
and how to achieve it can cause the process to fail. Roles and Responsibilities. Auditing is a team activity
that requires different roles to ensure effectiveness and
Internal Audit Leader Strategies
quality of work accomplished. In small departments, staff
for Data Analysis Clarified
may be responsible for more than one role. CAEs may want
Defining and executing a strategic plan supported by and to consider establishing specialized roles within their audit
aligned with management and the audit committee is a good teams to effectively deploy data analysis software tools. Some
place to begin. Depending on the starting point, this may of the key roles could be:
require internal audit leaders to take a hard look at all aspects
of their scope, people, processes, and technologies, and really • Data Specialist – Member of the audit team or an
explore whether or not they have the right strategy and capa- IT resource assigned to the audit team who has
bilities in place. It is hard to bring about significant change a detailed understanding of the organization’s IT
without a plan. Internal audit organizations that break down infrastructure, data sources, and how to access
their vision and goals into key initiatives that can be tackled relevant data to be analyzed. They will understand
logically and systematically also are the ones most likely to how to access large volumes from disparate systems,
succeed in driving value in their organizations. prepare that data for analysis, and make that data
While this GTAG is focused on data analysis technology, available to the team.
it is important to point out that technology alone will not • Data Analysis Specialist – Member of the internal
achieve the desired outcomes and benefits articulated herein. audit team who is well versed in the detailed use
For internal audit departments to be successful and achieve of the technology of choice, and who will perform
rapid and recurring returns on their software investment, advanced query and analysis, create and manage
three key areas need to be addressed: people, process, and automated audit routines, and validate and share
technology. results of the analysis across the team.
Without addressing each of these key areas, an effective
data analysis program will not be possible. • Staff Auditors – These members of the internal
audit team will have a general understanding of data
People and data analysis software, and will have sufficient
While internal audit departments vary in size and struc- competency to review and interpret the results of
ture, there are certain functions that need to be addressed automated analytic routines and perform simple
— either by an individual or several staff members. The analysis (sorting, filtering, grouping, and profiling).
larger the department, the greater the degree of specializa- They also will be trained to document and report on
tion can occur. the findings of the analysis performed.
• Internal Audit Leadership – The team’s leaders
Training and Education. Internal audit departments need should have visibility into what audit steps have
to be educated on the concepts of data, data analysis, and been automated or are dependent on the use of data
the interpretation of analytical results. With the adage “the analysis software. This will assist in the oversight
truth is in the transactions,” auditors can change the way of audit activities and overall audit coverage and
they think about examining organizational processes or lets audit leaders review analytic findings across the
compliance requirements. With a deeper understanding of team and against audit plan objectives.
how an organization’s activities get recorded electronically
in data files and databases, auditors can apply a data-driven
14
GTAG — Where Should Internal Auditors Begin?
Obstacles
Embarking on an increased focus on data analysis using
technology will likely have obstacles and challenges. The
most common obstacles include underestimating the effort
required to implement correctly, lack of sufficient under-
standing of the data and what it means, and the need to
develop the expertise to appropriately evaluate the excep-
tions and anomalies observed in the analysis. These and
other obstacles are best addressed through a well thought out
plan that commits sufficient resources and time.
A decision to invest in implementing or improving data
analytic capabilities needs to be appropriately managed to
ensure maximum benefit is obtained, with the least amount
of cost. A few recommendations to help accomplish these
goals are:
15
GTAG — Conclusion
7. Conclusion
Because almost every activity conducted in an organization
is either enabled or impacted by technology in one form or
another, it is nearly impossible to conduct an audit without
using technology. Current audit standards require the use
of data analysis for good reason. The data that is processed
and collected by organizations is, in essence, the electronic
life-blood of that organization. Being able to scrutinize and
evaluate the overall health of an organization by analyzing
data is a necessity.
To that end, data analysis should be viewed as an enabling
technology that can deliver great value to internal audit in
the areas of improving efficiency, effectiveness, and levels
of assurance that can be provided. Its impact is not limited
solely to reducing the amount of time to conduct an audit
but also to aid in the detection of errors, control breaches,
inefficiencies, or indicators of fraud. Additionally, leading
practitioners also are finding better and more effective ways
to determine what audits to perform, what areas are high risk,
and what business processes require greater attention during
detailed audit work. When employed across the audit cycle
— from data-driven to insights in risk assessment, planning
and preparation, testing, review, and reporting — internal
audit can dramatically increase the value it provides and
enhance its reputation within its organization.
Deciding where and when to use data analysis should be
a strategic decision made by the CAE. By employing data
analysis, it must be recognized that there will be changes to
what audit staff need to know, what processes and activities
need to be carried out, and what technology or technologies
can be leveraged to gain the desired benefits. Getting the
right data, understanding what the analytics are indicating,
and following up on the results of analysis can be a signifi-
cant task. The returns, however, can raise the level of respect
for internal audit departments and the profession as a whole.
16
GTAG — Appendix A: Example – Data Analysis for Procurement
The person who creates the PO Obtain a list of all POs created (by originator)
can’t release/approve the same Obtain a list of all POs released or approved
PO. Determine if any inappropriate segregation of duties (SOD)
existed.
Receiving of goods All goods received (GR) are Obtain a list of all GR and all POs placed
validated against PO. Validate that quantities are the same.
The person who created the PO Obtain a list of who signed for the GR (processor)
can’t process any goods that are Obtain a list of who created the PO
received. Determine if any inappropriate SODs existed.
Invoicing PO should be created before Compare PO dates against invoice dates and make sure there
supplier invoice is received. are no POs dated after invoices dates.
Amount on PO should agree Compare the PO amount against the invoice amount
with amount on invoice. Validate that there are no differences.
Segregation of duties (SOD). Obtain a list of who has processed invoices and who created
the PO
Determine if any inappropriate SODs existed.
Payment Application should not allow Obtain a list of all payments that have been made to vendors
duplicate payments. in the last 12 months
Determine if duplicate payments have been made, for
example:
• Same vendor ID and amount but different invoice number.
• Same vendor ID and invoice number but different amounts.
• Different vendor ID with same bank account detail.
Segregation of duties (SOD). Obtain a list of who has processed payment and of who cre-
ated the PO
Determine if any inappropriate SODs existed.
Updating vendor Ensure that duties are properly Obtain the procurement end-user list (users that have access
records and adding segregated to guarantee ap- to the procurement application and the functions that each
new vendor files propriate control. user has)
Determine what functions are conflicting and create a report
that identifies those users.
17
GTAG — Appendix A: Example – Data Analysis for Procurement
Procurement
Identify key fields (e.g. bank Obtain a list of staff bank accounts with direct deposit
account detail that should be Compare account information with the bank detail that was
monitored through manage- updated on the vendor record.
ment sign-off).
Sufficient application 1. Valid code test. 1. Obtain a monthly download of program code within the
controls to ensure procurement application Determine if any changes were
accurate input, pro- 2. Check digit. made to the code through data analysis.
cessing, and output 3. Field check. 2. Obtain the standing data of vendors Validate that the
4. Limit test. Income Tax number captured is the correct length.
5. Reasonableness check. 3. Obtain the standing data of vendors Validate that only
numerical values are captured in the bank account and
6. Sequence check. phone number fields.
7. Batch control totals. 4. Obtain a list of all procurements that were made in a
month Validate that all payments above a certain
amount (e.g., US $50,000) were authorized by the
appropriate user.
5. Obtain a list of all procurements made in a month
Create a trend analysis, per vendor or per procurement
type, to identify transactions out of the ordinary.
18
GTAG — Appendix B: Ranking Matrix for
Data Analysis Software Selection
14 Global presence
15 Years in business
16 Multiple languages
17 Help desk available
18 Ease of doing business; knowledgeable in auditing needs
19 Regular software upgrades
20 Training readily available
21 User group program for networking with other users of the software
22 Knowledgeable consultants independent of the provider readily available
23 Getting started programs available
Technical Features & Functionality
19
GTAG — Appendix B: Ranking Matrix for
Data Analysis Software Selection
20
GTAG – Appendix C : Audit Department
Data Analysis Usage Maturity Levels
Integrated Data analysis is used in every applicable audit en- Top-down support to meet functional strategic
gagement, and in each stage of the audit cycle from directives is in place. It is recognized that data
risk assessment, planning, preparation, testing, issue analysis can assist internal audit in providing
follow-up, and reporting. Proficiency in data analysis heightened levels of assurance by looking for
technology is a job requirement for some or all of unauthorized, incomplete, or inaccurate data or
the audit staff, depending on its size and make-up. seeking indicators in the data that can lead to
Close integration exists with IT and the rest of the recommendations to improve the organization’s
organization regarding access to pertinent data and overall performance.
dissemination of results.
Isolated and The audit department has some individual or single Some false starts and activities not necessarily
Occasional resources versed in the use of data analysis soft- sustainable for a long period. Acquire profes-
ware. Oftentimes the role of data analysis has been sional data analysis tools without the opportuni-
centralized to one individual. Application of data ty to fully implement. Realize that “peer” groups
analysis in audit programs is sporadic and unformu- may be making significant strides. Push for data
lated. Challenges exist in acquiring data from IT. analysis skills more bottom-up driven.
Reliant Primarily Audit processes make use of spreadsheets for light Starting to recognize the need for independent
on Spreadsheets analysis (sorting, calculating, control totals, sums, verification and objectivity. Starting to become
etc.), sampling of small data sets, limited use of aware of the possibilities. Generalized software
macros to locate anomalies in subpopulations of tools employed with known limitations.
data.
Print/ Auditors spot-check printed copies of documenta- Relying on the work of others. Development of
Paper-based tion seeking evidence of controls compliance. data analysis skills are in its infancy, in the plan-
ning stages at best.
21
Your Trusted Partner for Audit Analytics
acl.com/steps
IDEA
IDEA has over 120,000 active users globally, many of
CaseWare IDEA Inc. is pleased whom are IIA members. Auditors in over 90 countries in
to support the internal audit 16 languages use IDEA to outperform peers and exceed
profession and the IIA as a the expectations of clients, employers and regulators.
Principal Partner.
For more information about IDEA and to request a Free
For over 20 years, IDEA – Data Analysis Software has set the
standard for ease-of-use, performance and functionality.
A Global Technology Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward business
language to address a timely issue related to information technology management, control, or security.
For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/
guidance.
Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not
intended to provide definitive answers to specific individual circumstances and as such is only intended to be used
as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific
situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.
Copyright
Copyright ® 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at
guidance@theiia.org.
8/11586/MC/MF
www.theiia.org